In outer space, many earthly rules and standards don’t apply. But if space exploration has proved anything, it is that like the universal Law of Gravity, the Law of Murphy also extends throughout the known universe.
“If something can go wrong, it will go wrong,” is the classic phrasing of the observation attributed to rocket scientist Edward A. Murphy Jr. half a century ago. But space historians point out that the original formulation of Murphy's Law was more limited: "Every component that can be installed backward, eventually will be."
The latest proof is the highly embarrassing crash of NASA’s Genesis capsule, carrying samples of the solar wind that were supposed to provide clues to the origin of the sun and the entire solar system. The parachutes failed to deploy over Utah last month, and the disk-shaped craft smashed into the ground at full speed.
An investigation team has now determined that the deceleration sensors — the accelerometers — were all installed backwards. The craft’s autopilot never got a clue that it had hit an atmosphere and that hard ground was just ahead.
The late historical engineer Murphy — whose presence, or at least influence, is sorely missed today — uttered his original observation in connection with one of the gut-wrenching rocket-sled tests in the 1950s. Such tests subjected equipment, and eventually a human volunteer, to peak forces of 50 G's or more. After one run in which the test subject, Dr. John Stapp, nearly had his eyes torn out of their sockets by the shock, Murphy had to break the news that there were no force measurements because the sled’s sensors had been mounted backward. The whole eyeball-popping test would have to be done over again.
How can the same mistake keep happening?
Following the crash of the Genesis probe half a century later, caused by the same type of mistake, a common reaction is to blame the on-the-scene engineers for the foul-up — and indeed, they were the last ones to touch the doomed hardware. But that assignment of responsibility has been going on for decades, and isn't very effective.
Space observers recall the NASA announcement in 1999 that one of its Mars probes had crashed into the planet because workers had mixed up metric and English units of measurement. The story was a real howler, and had elements of truth to it — but it was fundamentally a cover-up and a diversion.
It did turn out that engineers who built the Mars Climate Orbiter had provided a data table in "pound-force" rather than newtons, the metric measure of force (about equivalent to the downward weight of an apple in your hand). NASA flight controllers at the Jet Propulsion Laboratory in Pasadena, Calif., had used the faulty table for their navigation calculations during the long coast from Earth to Mars.
Upon arrival, the probe did not skim the upper atmosphere, as it had been aimed. Misled by the wrong numbers, guidance computers set it on a course that actually hit the atmosphere — where it burned up.
The easy answer — "blame the stupid contractors" — was actually a NASA public-relations gimmick to duck ultimate responsibility for the disaster. In order to promote the image of a faster-better-cheaper space program extolled by the Clinton administration, previously used checks and balances had been canceled. And reportedly, when space navigators intuitively developed a feeling that there was something wrong with the navigational database, they were told to hold the present course until they could prove something was wrong.
By then it was too late. The proper attitude should have been that in case of doubt, steer more safely, and take the corner at Mars farther out. NASA’s mismanagement, not a worker-bee foul-up, doomed that Mars probe.
The Genesis sensors
Fast-forward several years, and look at how the ground was prepared for the Genesis debacle. A helpful principle in high-tech engineering is to insist that if a piece of equipment could physically be installed in either of two ways, the design must make the wrong one impossible to achieve. Mechanical devices all around us, from plugs and sockets to latches to gasoline pump nozzles, use this approach.
But with the Genesis accelerometers, apparently the approved design allowed either direction of installation. From the NASA report, it seems that the accelerometers had to be X-rayed to determine the internal up-down orientation of their sensors, which reportedly were described incorrectly in the technical drawings.
Each unit is about the size of a ball-point pen cap, with a small plunger inside, designed to compress under the atmospheric braking forces. Two pairs of the same type of device were mounted for redundancy, but no backup system — such as a timer, or a barometer or ground command capability — was installed. After all, these switches were reportedly developed as a nuclear warhead safety device, so one could just assume that they were properly wired.
Lockheed Martin’s lamentable list
This isn’t to say that one can’t create a horrifying chronicle of space mistakes made by space workers at Lockheed Martin. Aside from the Mars Climate Orbiter's crash in September 1999, and the loss of the Mars Polar Lander a couple of months later through an entirely different design oversight, "LockMart" has gone through a string of debacles that all look, in hindsight, as if they should have been predictable and avoidable.
In September 2003, a quarter-billion-dollar observation satellite was heavily damaged in a hangar when it was moved without being bolted to its support frame. A review board recently attributed this to “lack of discipline in following procedures [and] complacent attitudes [and] poorly written or modified procedures.”
In 1998, a LockMart Titan 4 booster carrying a billion-dollar LockMart spy satellite exploded shortly after liftoff from Cape Canaveral, Fla., due to frayed wiring that apparently had not been inspected. The following year, the expensive LockMart Milstar 4 satellite was placed into a useless orbit by a LockMart Titan/Centaur upper stage, because of erroneous calculations fed into the Centaur guidance system. (Explanation: “Engineers were traumatized by the Columbine shootings.”)
But LockMart is hardly the only space organization that has made these kinds of mistakes. Any search for cultural weaknesses that allow such human errors to have such horrible consequences must cast a wider net.
Short-term memory loss
In the case of the Genesis failure, the threat of an accelerometer problem should have been fresh in NASA’s mind. This is because they had seen much the same mistake occur on another space probe less than a decade earlier — fortunately, without such fatal results. As Galileo dropped its once-in-a-lifetime entry probe into Jupiter’s atmosphere in 1995, observers back on Earth held their breath to receive relayed radio data from the descending probe. The parachutes were late to open — it fell right through some layers of the atmosphere it was supposed to measure — and popped out about a minute behind schedule.
Why the delay, and how close to total disaster had the project come? It turned out that the probe’s "G-switches" (accelerometers) had been miswired. They weren’t installed backwards, but the data lines from the pair were switched each to the other.
In a technical discussion in an Internet space-engineering chat room, Charlie Sobeck, who identified himself as working in "probe engineering," agreed: "The acceleration switches that sensed the entry into the atmosphere were wired backwards! An embarrassing error, and one we thought we had carefully tested for, but an error that occurred nonetheless."
Space historian Henry Spencer elaborated on that story. “It wasn't a sign reversal,” he explained, “but the fact that there were two G-switches with different settings.” As a result of signals arriving at different times, the cross-wiring led the autopilot to misunderstand the readings. It erroneously declared one of the two "failed," and then used a backup algorithm for the remaining one. Unfortunately, that one had different G-settings than expected for the algorithm. It was only by luck that the spacecraft decided to pop the parachute at all.
“The interesting thing,” Herbert added, “is that the probe was G-tested in a centrifuge, and the results from that test were correct! Apparently the test harness was also miswired” the same way that the probe’s twin accelerometers were.
Whatever lessons were learned from the Galileo probe near-disaster apparently did not reach any managers or workers associated with installing comparable equipment on Genesis.
Similar hardware has also been installed on NASA's Stardust probe, which has already collected fragments of a comet and is headed back to Earth with them. Engineers have studied design drawings of Stardust, which has a parachute re-entry system using the same switches as Genesis.
Investigators into the Genesis crash believe that Stardust is assembled correctly — if the documentation is accurate. "While the switches are the same, the installation ... is quite different," a NASA manager told journalists.
In the longer term, space engineers need to remember the lessons of the past — and remind their management, often too narrowly focused on schedules and costs. For half a century, Murphy and his legions of successors have paid a high price in time, treasure and even lives to map out the line between prudent and careless space design and operation. Each new generation, and each new project team, can't afford the same tuition over and over again. Some more respect for the past may be the only practical formula for a safe future.
James Oberg, space analyst for NBC News, spent 22 years at the Johnson Space Center as a Mission Control operator and an orbital designer.